CVE-2022-37044: 
Zimbra Collaboration Server vulnerability analysis and mitigation

In Zimbra Collaboration Suite (ZCS) 8.8.15, the URL at /h/search?action accepts parameters called extra, title, and onload that are partially sanitised and lead to reflected XSS that allows executing arbitrary JavaScript on the victim's machine (CVE Mitre).

The vulnerability exists in the search functionality of Zimbra Collaboration Suite 8.8.15, specifically at the /h/search?action endpoint. The issue stems from insufficient sanitization of three parameters: extra, title, and onload. When these parameters are processed, the partial sanitization allows for reflected cross-site scripting attacks that can execute arbitrary JavaScript code in the victim's browser context (CVE Mitre, Zimbra Security).

The vulnerability allows attackers to execute arbitrary JavaScript code in the context of the victim's browser session. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions performed within the user's authenticated session (CVE Mitre).

The vulnerability has been patched in Zimbra Collaboration Suite 8.8.15 Patch 33. Users are advised to upgrade to this version or later to mitigate the risk (Zimbra Security).